This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
rdhowtos [2016/05/06 21:45] – created admin | rdhowtos [2021/02/08 05:08] (current) – [RADIUSdesk HOWTO's] admin | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Sign up a new Access Provider ====== | + | |
- | ===== Background ===== | + | |
- | This page can be used as a reference when you sign up new clients that will be using a RADIUSdesk server which is deployed somewhere on the Internet. | + | |
- | ===== Our scenario | + | ====== RADIUSdesk HOWTO' |
- | * You've suggested to your local shopping mall to use MESHdesk as a wireless solution and subsequently deployed a WiFi mesh which covers all the shops including the parking area. | + | |
- | * They are very happy with the fact that there is now blanket WiFi coverage in all the shops. | + | |
- | * One of the shops is a coffee shop called **Funky Bean There**. | + | |
- | * **Funky Bean There** wants to draw more customers and approached you to incorporate them into the mesh. | + | |
- | * **Funky Bean There** wants to give anyone a daily limit of **500Mb** data for free. | + | |
- | <WRAP center round info 60%> | ||
- | We assume you already added their SSID to the mesh network which terminates into a Captive Portal | ||
- | </ | ||
- | ===== Steps required ===== | + | <WRAP center round box 100%> |
- | The following sections will stipulate how to go about in order to add **Funky Bean There** to your server in such a way that they will have their own isolated playpen. We will: | + | |
- | * Add their owner as an **Access Provider**. | + | |
- | * Log in as their owner and complete the rest of the set-up. | + | |
- | ==== Create a new Access Provider | + | ===== Starting Up ===== |
- | * Log into RADIUSdesk with the **root** user. | + | * [[Getting Started:The Webtop interface|The Home Screen and Menus]] |
- | * Select **Menu -> Realms & Providers -> Access Providers** | + | * [[Getting Started:App Windows and Panels| Working Inside |
- | * Add a new **Access Provider** by providing | + | |
- | ==== Work in you playpen ==== | ||
- | * You can now **log out** as **root** and **log in** as the newly created **Access Provider**. | ||
- | * Now you need to: | ||
- | * Create a Realm called **Funky Bean There** including the upload of their logo | ||
- | * Create a Profile with it's Profile components to allow a daily usage of 500Mb. | ||
- | * Create a **Click-To-Connect** user with the 500Mb profile as its profile. | ||
- | * Add the **NAS device**. | ||
- | * Create a **Dynamic Login Page** for **Funky Bean There** and upload the logo and graphics for the slideshow. | ||
- | |||
- | -------------- | ||
- | |||
- | ===== Add a Realm ===== | ||
- | * Click on **Menu -> Realms & Providers -> Realms** to open the Realm management applet. | ||
- | |||
- | <WRAP center round alert 60%> | ||
- | **Hey!!** There is already a realm listed here | ||
- | |||
- | * If there happen to be a realm listed already which you did not intend to have listed, it is because that realm has the **Make available to sub-providers** option checked. | ||
- | * To fix this you have to log out as the current Access Provider and log in as root. | ||
- | * Now you can remove the unwanted realm by un-checking that option. | ||
- | * Log in again as the Access Provider for **Funky Bean There**. | ||
</ | </ | ||
- | * Click on the plus sign in the toolbar and add the new realm. | ||
- | * Also be sure to upload a logo for the realm | ||
- | Next we will tackle the **Profile** | ||
+ | ---------------- | ||
- | ----------- | ||
+ | <WRAP center round box 100%> | ||
- | ===== Add a Profile and Profile Components | + | ===== Your First Setup ===== |
- | * Go **Menu -> Profiles -> Profiles** to open the Profile management applet. | + | * [[ technical_discussions: |
- | * There will most probably already be a list of available profiles which is selectable but not editable since you are logged in as an Access Provider | + | * [[technical_discussions: |
- | * Add your own new profile and make it **NOT** available | + | |
- | * We will call it **Funky_Free**. | + | |
- | | + | * [[technical_discussions: |
+ | | ||
+ | | ||
- | ==== Profile Components ==== | ||
- | * Go **Menu -> Profiles -> Profile Components** to open the Profile Component management applet. | ||
- | * We will create two Profile Components. | ||
- | * One to control the bandwidth of each connection. | ||
- | * One to control the daily usage. | ||
- | * To control the bandwidth we create a Profile Component called **BW-512Kb** with the following: | ||
- | |||
- | ^Type | ||
- | |Reply | FreeRADIUS internal | ||
- | |Reply | WISPr | WISPr-Bandwidth-Max-Up | ||
- | |Reply | WISPr | WISPr-Bandwidth-Max-Down | ||
- | |||
- | * To control usage that will reset daily **and** limit data to 500M we create a Profile Component called **Data-500M** with the following: | ||
- | |||
- | ^Type | ||
- | |Reply | FreeRADIUS internal | ||
- | |Check | FreeRADIUS Custom | ||
- | |Check | FreeRADIUS Custom | ||
- | |Check | FreeRADIUS Custom | ||
- | |Check | FreeRADIUS Custom | ||
- | |||
- | ==== Connecting the Profile Components to the Profile ==== | ||
- | * Go back to Profile manager applet and select the the **Funky_Free** profile then click on the **edit** button in the toolbar. | ||
- | * Select the **Add component** action and then select a Profile component (The BW-512Kb and Data-500M Profile Components) from the list along with a **Priority**. | ||
- | * The default **Priority** of 100 for both should be fine since these two profile components do not have attributes in common which my cause contention. | ||
- | |||
- | Next we will create a **Permanent User** that will be used for the **Click-to-Connect** user | ||
- | |||
- | ------- | ||
- | |||
- | ===== Create the Click-to-Connect user ===== | ||
- | * Go **Menu -> Permanent Users -> Permanent Users** to open the Permanent Users management applet. | ||
- | * Create a permanent user called **click_to_connect@fbt-01**. | ||
- | * Give it the password of **click_to_connect** | ||
- | * Select the **Funky Been There** Realm and the **Funky_Free** Profile. | ||
- | * Also ensure that the **Cap type for Data** says on **Hard**. | ||
- | * After you created this user, run a **Test RADIUS** on him (Under Extra actions) to ensure you get the following reply attributes: | ||
- | * ChilliSpot-Max-Total-Octets = 500000000 | ||
- | * Mikrotik-Total-Limit = 500000000 | ||
- | * WISPr-Bandwidth-Max-Up = 512000 | ||
- | * WISPr-Bandwidth-Max-Down = 512000 | ||
- | * This shows the counter is alive and well. | ||
- | |||
- | ==== Whats in a name? ==== | ||
- | * You may wonder why we call the **Click-to-Connect** user **click_to_connect@fbt-01**. | ||
- | * The name can be broken up in two parts. | ||
- | * The first part is everything before the **@**. | ||
- | * The last part is everything after the **@**. | ||
- | * The user's password has to be the same as the first part e.g. click_to_connect. | ||
- | * The second part will be automatically added by the login pages when the user clicks the **Click-to-connect** button and is determined by a the configuration of the Dynamic login pages. | ||
- | |||
- | Time to tackle the last bit which is the **NAS device** and **Dynamic login pages** and see how it all comes together. | ||
- | |||
- | |||
- | --------- | ||
- | |||
- | ===== Add the NAS device ===== | ||
- | * Click on **Menu -> NAS devices -> NAS devices** to open the NAS devices management applet. | ||
- | * Since the Coova Chilli captive portal used by **Funky Bean There** comes from an unknown IP Address we will add a NAS device with connection type **Dynamic client**. | ||
- | * We will use the value of **nasid** specified in the Coova Chilli set-up to uniquely identify the incoming connection. | ||
- | * We assume that it was specified as **fbt-01** (Short for Funky Been There - 01). The value of **nasid** will then be used by Coova-Chilli in the RADIUS requests which it sends out to the RADIUS server in the form of the **NAS-Identifier** attribute. | ||
- | * After you selected **Dynamic client** you can specify **Unique AVP combination** as **NAS-Identifier** and the value **fbt-01** in the **Dynamic AVP detail** sub-tab. | ||
- | * On the **NAS** sub-tab you can specify the **Name** also as **fbt-01** (It is a good convention to keep them the same) along with a shared secret. This shared secret is the same as the one defined in the Coova Chilli configuration. | ||
- | * The realms should only show the **Funky Been There** realm. | ||
- | <WRAP center round tip 60%> | ||
- | When you do this action as the root user; the list of realms will change depending weather you decide to make a NAS device **available to sub-providers** or not. | ||
- | </ | ||
- | * After you added the device; be sure to edit it again and ensure that the **NAS -> Optional info** sub-tab also have the NAS-Identifier specified as **fbt-01**. | ||
- | * Save you work and wait at least 10 minutes to allow the cron job to restart the FreeRADIUS server in order for this device to be added. | ||
- | <WRAP center round tip 60%> | ||
- | This cron entry runs a script to check if FreeRADIUS needs a restart | ||
- | <code bash> | ||
- | #Every 10 minutes to keep it stable | ||
- | */10 * * * * www-data / | ||
- | </ | ||
</ | </ | ||
- | |||
- | Now that we have the NAS device added to RADIUSdesk; we can do the **Dynamic Login page** | ||
- | ------- | + | -------------------- |
- | ===== Add a Dynamic login page ===== | ||
- | * Click on **Menu -> Dynamic login pages** to open the Dynamic login pages management applet. | ||
- | <WRAP center round alert 60%> | + | <WRAP center round box 100%> |
- | **Hey!!** There is already some login pages listed here | + | ===== User Howto' |
+ | * [[user_guide: | ||
+ | * [[user_guide: | ||
+ | * [[ user_guide: | ||
+ | * [[user_guide: | ||
+ | * [[ user_guide: | ||
+ | * [[ user_guide: | ||
+ | * [[ user_guide: | ||
+ | * [[user_guide: | ||
- | * If there happen to be login pages listed already which you did not intend to have listed, it is because that realm has the **Make available to sub-providers** option checked. | ||
- | * To fix this you have to log out as the current Access Provider and log in as root. | ||
- | * Now you can remove the unwanted login pages by un-checking that option. | ||
- | * Log in again as the Access Provider for **Funky Bean There**. | ||
</ | </ | ||
- | * Click on the plus sign in the toolbar and add the new Dynamic login page. | ||
- | * Add your own new Dynamic login page and make it **NOT** available to sub-providers. | ||
- | * After you added the Dynamic Login page you can further edit it by uploading photos for the slideshow. | ||
- | |||
- | ==== Add missing rights for Access Providers ==== | ||
- | * If you have an older install of RADIUSdesk be sure to check and add the following rights. | ||
- | * This is a once-off action that is required. | ||
- | * Log in as **root**. | ||
- | * Click on **Menu -> Tools -> Rights manager** to open the Rights manager applet. | ||
- | * On the first tab (Access Control Objects) select: **Access Control Objects (ACOs) -> Access Providers -> Controllers -> DynamicDetails** | ||
- | * Then **Add** the following: | ||
- | * edit_settings | ||
- | * edit_click_to_connect | ||
- | * On the second tab (Access Provider Rights) select: **Default Access Provider rights -> Controllers -> DynamicDetails** | ||
- | * Then **Allow** the following (the newly added rights): | ||
- | * edit_settings | ||
- | * edit_click_to_connect | ||
- | * As we stated at the beginning, this is a once-off addition that will enable the Access Providers to utilize the enhancements to the Dynamic login pages. | ||
- | |||
- | ==== Dynamic keys ==== | ||
- | * We use the Dynamic keys to determine which Dynamic login page to serve. | ||
- | * The Dynamic keys is simply one of the items in the query string of the login page (the one which you decided) that will be used to **connect** the captive portal with a pre-defined Dynamic login page. | ||
- | * We will use **nasid**. | ||
- | * With our captive portal setup we will have a login page that contains // | ||
- | * Add this -> Name = nasid; Value = fbt-01 and Priority =1. | ||
- | |||
- | |||
- | ==== Settings | ||
- | * This tab specifies things such as: | ||
- | * A URL containing T& | ||
- | * Slideshow option for the photos | ||
- | * Redirect once authenticated | ||
- | ==== Click to connect | ||
- | * This is another tab we are interested in. | ||
- | * Select the **Enable** option to activate it. | ||
- | * Then specify the **Connect as** as **click_to_connect** (in other words, the //first part// of the name you given the permanent Click-to-Connect user we created earlier.) | ||
- | * **Add suffix of** we will specify as **nasid**. This will result that the Click-to-Connect button will build a username of **click_to_connect@fbt-01** which in turn must correspond to the Click-to-Connect user we defined earlier. (Remember the URL contains // | ||
- | <WRAP center round info 60%> | ||
- | You can choose any of the elements in the query string and are not forced to use nasid. Another common one is **ssid** (provided it is defined in Coova Chilli) | ||
- | </ | ||
- | |||
- | * You also have the option to only offer a Click-to-Connect system. | ||
- | |||
- | This brings us to the end of all the preparation. Time for testing ;-) | ||
+ | --------- |
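Review bot: The removed side deletes the whole "Sign up a new Access Provider" how-to, including the steps that keep a provider isolated: un-checking **Make available to sub-providers** for realms and login pages, and the once-off edit_settings / edit_click_to_connect rights under DynamicDetails. The added side is only an index of links, and their targets are cut off in this view, so it cannot be confirmed that any of them leads to the relocated text. If the how-to was moved, link its new page from this index (for instance under "Your First Setup") and say so in the edit summary, which currently reads only "[RADIUSdesk HOWTO's]". If it was not moved, restore it as its own page so the isolation and rights steps stay documented.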